MDKSA-2005:022

Problem description

A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with
this advisory:
- Multiple race conditions in the terminal layer of 2.4 and 2.6
kernels (prior to 2.6.9) can allow a local attacker to obtain
portions of kernel data or allow remote attackers to cause a kernel
panic by switching from console to PPP line discipline, then quickly
sending data that is received during the switch (CAN-2004-0814)
- Richard Hart found an integer underflow problem in the iptables
firewall logging rules that can allow a remote attacker to crash the
machine by using a specially crafted IP packet. This is only
possible, however, if firewalling is enabled. The problem only
affects 2.6 kernels and was fixed upstream in 2.6.8 (CAN-2004-0816)
- Stefan Esser found several remote DoS conditions in the smbfs file
system. These could be exploited by a hostile SMB server (or an
attacker injecting packets into the network) to crash the client
systems (CAN-2004-0883 and CAN-2004-0949)
- Paul Starzetz and Georgi Guninski reported, independently, that bad
argument handling and bad integer arithmetic in the IPv4 sendmsg
handling of control messages could lead to a local attacker crashing
the machine. The fixes were done by Herbert Xu (CAN-2004-1016)
- Rob Landley discovered a race condition in the handling of
/proc/.../cmdline where, under rare circumstances, a user could read
the environment variables of another process that was still spawning,
leading to the potential disclosure of sensitive information such as
passwords (CAN-2004-1058)
- Paul Starzetz reported that the missing serialization in
unix_dgram_recvmsg() which was added to kernel 2.4.28 can be used by
a local attacker to gain elevated (root) privileges (CAN-2004-1068)
- Ross Kendall Axe discovered a possible kernel panic (DoS) while
sending AF_UNIX network packets if certain SELinux-related kernel
options were enabled. By default the CONFIG_SECURITY_NETWORK and
CONFIG_SECURITY_SELINUX options are not enabled (CAN-2004-1069)
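The CAN-2004-1069 item above is only reachable when both kernel options are enabled, so the first thing a defender checks is the build configuration of the running kernel. The following is an added example, not part of the advisory or of Mandrakesoft's tooling: a small POSIX shell check that reads a kernel config file (for instance /boot/config-$(uname -r), or /proc/config.gz after unpacking; the file path is a hypothetical input) and reports whether the two options named above are switched on. The sample config contents are constructed for the demonstration.

```shell
# Added example (not from the advisory): check whether a kernel build config
# enables the SELinux networking options named in CAN-2004-1069.
# Assumes the config is available as a plain-text "CONFIG_X=y" file; the
# path passed in is a hypothetical input chosen by the operator.

# kconfig_enabled FILE OPTION -> exit 0 if OPTION is set to y or m in FILE
kconfig_enabled() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# selinux_net_exposure FILE -> prints "exposed" when both
# CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX are on (exit 0),
# otherwise prints "not-exposed" (exit 1)
selinux_net_exposure() {
    if kconfig_enabled "$1" CONFIG_SECURITY_NETWORK &&
       kconfig_enabled "$1" CONFIG_SECURITY_SELINUX; then
        echo exposed
        return 0
    fi
    echo not-exposed
    return 1
}

# Constructed sample configs: one with the options on (not the Mandrake
# default), one with them off (the default the advisory describes).
SAMPLE_ON=$(mktemp)
printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_NETWORK=y\nCONFIG_SECURITY_SELINUX=y\n' > "$SAMPLE_ON"
SAMPLE_OFF=$(mktemp)
printf 'CONFIG_SECURITY=y\n# CONFIG_SECURITY_NETWORK is not set\n# CONFIG_SECURITY_SELINUX is not set\n' > "$SAMPLE_OFF"

# Demonstration runs; the "|| true" keeps a not-exposed result from
# aborting a shell started with -e.
selinux_net_exposure "$SAMPLE_ON" || true    # exposed
selinux_net_exposure "$SAMPLE_OFF" || true   # not-exposed
```

To check a live system, pass the real config file instead of the constructed sample, e.g. `selinux_net_exposure /boot/config-$(uname -r)`; the check deliberately treats a `# CONFIG_... is not set` line as disabled rather than matching on the option name alone.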
- Paul Starzetz of isec.pl discovered several issues with the error
handling of the ELF loader routines in the kernel. The fixes were
provided by Chris Wright (CAN-2004-1070, CAN-2004-1071,
CAN-2004-1072, CAN-2004-1073)
- It was discovered that hand-crafted a.out binaries could be used to
trigger a local DoS condition in both the 2.4 and 2.6 kernels. The
fixes were done by Chris Wright (CAN-2004-1074)
- Paul Starzetz found bad handling in the IGMP code which could lead
to a local attacker being able to crash the machine. The fix was
done by Chris Wright (CAN-2004-1137)
- Jeremy Fitzhardinge discovered two buffer overflows in the
sys32_ni_syscall() and sys32_vm86_warning() functions that could be
used to overwrite kernel memory with attacker-supplied code resulting
in privilege escalation (CAN-2004-1151)
- Paul Starzetz found locally exploitable flaws in the binary format
loader's uselib() function that could be abused to allow a local
user to obtain root privileges (CAN-2004-1235)
- Paul Starzetz found an exploitable flaw in the page fault handler
when running on SMP machines (CAN-2005-0001)
- A vulnerability in insert_vm_struct could allow a local user to
trigger BUG() when the user created a large vma that overlapped with
arg pages during exec (CAN-2005-0003)
- Paul Starzetz also found a number of vulnerabilities in the kernel
binfmt_elf loader that could allow a local user to obtain elevated
(root) privileges (isec-0017-binfmt_elf)
The provided packages are patched to fix these vulnerabilities. All
users are encouraged to upgrade to these updated kernels.
To update your kernel, please follow the directions located at:
http://www.mandrakesoft.com/security/kernelupdate
PLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the
latest module-init-tools package prior to upgrading their kernel.
Likewise, MNF8.2 users will need to upgrade to the latest modutils
package prior to upgrading their kernel.